REMARKS

The Examiner has objected to the Specification as failing to provide proper antecedent basis for the claimed subject matter. More specifically, the Examiner has argued that "the phrase 'computer readable medium,' appears to only reasonably convey hardware storage and forms of portable, physical article media to one of ordinary skill in the art." Applicant respectfully disagrees and notes that applicant specifically claims a "computer program product embodied on a tangible computer readable medium" (emphasis added), as claimed. Additionally, applicant notes that the term "tangible computer readable medium" is to be read according to the plain and ordinary meaning thereof, in view of . . . and in further view of the definitions provided in the Specification.

Additionally, the Examiner has rejected Claims 1, 3-18, 20-35, 37-47, and 49-54 under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention. In the Office Action mailed 05/22/2007, the Examiner has specifically taken issue with the following language as being indefinite: "more strongly." In the Amendment filed 08/22/2007, applicant respectfully asserted that such claim language is to be read according to the plain and ordinary meaning thereof, in view of dictionary definitions, etc. The Examiner, however, has argued that "it is uncertain what the association is stronger than." In response, applicant respectfully asserted that the association is stronger than it would be without the modification of the set of rules.

In the Office Action mailed 11/01/2007, the Examiner has removed the rejection under 35 U.S.C. 112, second paragraph, but has responded to applicant's above arguments. In particular, the Examiner has argued that applicant's above arguments are "not clear from the claim language" and that "it is not clear that the external program calls are more strongly associated with malicious computer program activity as compared to without the modifications." The Examiner has also argued that "[i]t could be more strongly associated with malicious computer program activity than the primary set of external program calls" such that "the scope of 'more strongly' cannot be ascertained."

Applicant respectfully disagrees. For example, with respect to the independent claims, applicant clearly claims "modifying said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (see this or similar, but not necessarily identical language in the independent claims - emphasis added), as claimed. Therefore, it is clear that applicant's claimed "said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (emphasis added), as claimed, is definite.

In the Office Action mailed 07/17/2008, the Examiner has re-presented the rejection under 35 U.S.C. 112, second paragraph, and has argued that "[t]he term 'more strongly associated' in claims 1, 18, and 35 is a relative term which renders the claim indefinite" and has further argued that "[a]pplicant has failed to provide any actual rationale as to why the claims are definite." Additionally, the Examiner has argued that "it is unclear how modifying 'said set of rules' has any effect on a set of program calls that has already been logged."

Applicant respectfully disagrees. First, applicant again notes that the association of the "at least one secondary set of one or more external program calls" with "malicious computer program activity" is stronger than it would be without the modification of the set of rules, as claimed, which is clearly definite. Additionally, applicant claims "modifying said set of rules," where "a primary set of one or more external program calls matching one or more rules indicative of malicious computer program activity from among a set of rules" is "identif[ied] within said stream of external program calls" (see this or similar, but not necessarily identical language in the independent claims - emphasis added), as claimed, which clearly shows the relationship between the "external program calls" and the "modifying," as claimed.
The Examiner has rejected Claims 1, 8-10, 13, 17, 18, 25-27, 30, 34, 35, 42-44, 47, and 51-54 under 35 U.S.C. 102(e) as being anticipated by van der Made (U.S. Patent No. 7,093,239). Applicant respectfully disagrees with such rejection, especially in view of the amendments made hereinabove to each of the independent claims. Specifically, applicant has amended the independent claims to at least substantially include the subject matter of former dependent Claims 53 and 54.

With respect to independent Claims 1, 18 and 35, the Examiner has relied on Col. 6, lines 12-24; and Col. 11, lines 46-60 from the van der Made reference to make a prior art showing of applicant's claimed "secondary set identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (see this or similar, but not necessarily identical language in the independent claims).

Applicant respectfully points out that the excerpts from the van der Made reference relied upon by the Examiner merely teach "extracting a behavior pattern and sequence from a modified, new, unknown or suspect program," and that "[t]he behavior pattern is preferably used to analyze the behavior of the unknown program to determine if the behavior of the unknown program is malicious" (Col. 6, lines 13-17 - emphasis added). The excerpts from van der Made also teach that the "ABM engine then analyzes the first executable program and finds that its behavior pattern is altered in a manner indicating that a virus is active" (Col. 11, lines 57-59 - emphasis added).

However, applicant respectfully asserts that only generally disclosing that "[t]he behavior pattern is preferably used to analyze the behavior of the unknown program," as in van der Made, does not specifically meet a "secondary set of identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (emphasis added), particularly where the "primary set of one or more external program calls match[es] one or more rules indicative of malicious computer program activity from among a set of rules" (emphasis added), in the context claimed by applicant.
In the Office Action mailed 07/17/2008, the Examiner has argued that "van der Made discloses multiple behavior patterns, where an earlier behavior pattern would be equivalent to the secondary set of program calls, and a later behavior pattern indicative of a virus infection would be equivalent to the primary set of program calls."

Applicant respectfully disagrees and notes that van der Made merely discloses "detect[ing] malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system" and "stor[ing] behavior patterns and sequences with their corresponding analysis results in a database," in addition to disclosing that "[n]ewly infected programs can be detected by analyzing a newly generated behavior pattern of the program in question with reference to a stored behavior pattern to identify presence of an infection or payload pattern" (Abstract, not specifically cited - emphasis added).

However, merely disclosing the storage of analyzed behavior patterns and the analysis of newly generated behavior patterns with reference to the stored behavior pattern, as in van der Made, fails to disclose "an earlier behavior pattern" and a "later behavior pattern," as argued by the Examiner, and fails to even suggest a "secondary set of identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (emphasis added), as claimed by applicant.

Furthermore, applicant respectfully points out that detecting active viruses based on whether an executable program's behavior pattern is altered, as in van der Made, clearly fails to teach the use of a "secondary set of identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (emphasis added), where the "primary set of one or more external program calls match[es] one or more rules indicative of malicious computer program activity from among a set of rules" (emphasis added), in the context claimed by applicant. Simply nowhere in the excerpts relied on by the Examiner is there any teaching or suggestion of a "secondary set of one or more external program calls associated with said primary set of one or more external program calls," as claimed.

In the Office Action mailed 11/01/2007, the Examiner has argued that "Made discloses pattern identifying code that can identify program calls associated with malicious activity and are also associated with another set of program calls such as ones that are content destructive since these calls are calls that are made as a result of the first set of calls detected by patterns (6:43-63)."

Applicant respectfully disagrees and asserts that Col. 6, lines 43-63 in van der Made merely discloses that "the analysis procedure specifically targets infection methods such as, but not limited to, the insertion of code to other executables or documents, submitting code to other applications to be transmitted or stored, insertion of code into high memory blocks and the modification of memory control blocks," and that "the analysis method further look[s] for destructive content, such as, but not limited to, functions that overwrite disk areas or the BIOS ROM, or delete files or directories."

Clearly, the excerpts from van der Made merely teach targeting particular infection methods, and separately looking for destructive content, which does not even suggest "identifying code that can identify program calls associated with malicious activity and are also associated with another set of program calls such as ones that are content destructive" (emphasis added), as the Examiner has noted. To this end, the excerpt from van der Made relied on by the Examiner simply does not teach a "secondary set of identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (emphasis added), where the "primary set of one or more external program calls match[es] one or more rules indicative of malicious computer program activity from among a set of rules" (emphasis added), in the context claimed by applicant.
In the Office Action mailed 07/17/2008, the Examiner has argued that "van der Made specifies [that the generated] behavior pattern does not change significantly between version updates, but does change dramatically when a virus infects a program. . . . [s]ee column 6, lines 30-32." Additionally, the Examiner has argued that "van der Made meets the limitation in question because any one of the behavior patterns logged by the virtual machine that is not considered 'drastically' changed can be considered the claimed 'secondary set of one or more external program calls,' while the 'drastically' changed behavior pattern would be considered the 'primary set.'" Further, the Examiner has argued that "[t]hese patterns are associated to the extent that they are behavior patterns of the same program."

Applicant respectfully disagrees and notes that the excerpt relied on by the Examiner merely discloses that "[t]he generated behavior pattern does not change significantly between version updates, but does change dramatically when a virus infects a program" (Col. 6, lines 30-32). Additionally, applicant notes that van der Made discloses "detect[ing] malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system" (Abstract, not specifically cited - emphasis added).

However, merely disclosing the generation and analysis of a behavior pattern for a computer program in a computer system, where a dramatically changed behavior pattern suggests that a program is infected with a virus, as in van der Made, does not disclose the existence of both "drastically" changed and non-"drastically" changed instances of behavior patterns of the same program in a computer system, as suggested by the Examiner, and fails to specifically suggest a "secondary set of identifying code operable to identify, within said stream, at least one secondary set of one or more external program calls associated with said primary set of one or more external program calls" (emphasis added), as claimed by applicant.

Still with respect to independent Claims 1, 18 and 35, the Examiner has again relied on Col. 6, lines 12-24; and Col. 11, lines 46-60 from the van der Made reference to make a prior art showing of applicant's claimed "modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (see this or similar, but not necessarily identical language in the independent claims).

Applicant respectfully points out that the excerpts from the van der Made reference relied upon by the Examiner merely teach "extracting a behavior pattern and sequence from a modified, new, unknown or suspect program" and that "[t]he behavior pattern is preferably used to analyze the behavior of the unknown program to determine if the behavior of the unknown program is malicious" (Col. 6, lines 13-17 - emphasis added). Such excerpts from van der Made also teach that the "ABM engine then analyzes the first executable program and finds that its behavior pattern is altered in a manner indicating that a virus is active" (Col. 11, lines 57-59 - emphasis added).

However, applicant respectfully asserts that analyzing "the behavior pattern of the unknown program," and detecting active viruses based on whether an executable program's behavior pattern is altered, as in van der Made, clearly fail to teach "modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (emphasis added), as claimed by applicant, particularly where the "rules [are] indicative of malicious computer program activity" in the context claimed. Simply nowhere in the excerpts from the van der Made reference relied on by the Examiner is there any teaching or suggestion to "modify said set of rules," as claimed by applicant.

In the Office Action mailed 11/01/2007, the Examiner has argued that "Made discloses modifying the behavior patterns as new malicious behavior is detected and as more malicious behavior is detected it associated the patterns and the calls that fall within the pattern more closely with the malicious activity (6:25-43)."
Applicant respectfully disagrees and asserts that Col. 6, lines 25-43 in van der Made simply teaches that "a virtual machine is used to generate a behavior pattern and a sequence," and that "[t]he generated behavior pattern does not change significantly between version updates, but does change dramatically when a virus infects a program." However, simply disclosing that a behavior pattern changes when a virus infects a program, as in van der Made, does not even suggest that "as more malicious behavior is detected it associated the patterns and the calls that fall within the pattern more closely with the malicious activity" (emphasis added), as the Examiner has noted. Furthermore, a behavior pattern that changes when a virus infects a program, as in van der Made, does not teach "modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (emphasis added), as claimed by applicant, particularly where the "rules [are] indicative of malicious computer program activity" in the context claimed.

In the Office Action mailed 07/17/2008, the Examiner has argued that "van der Made shows (Col. 11, lines 36-60) that the rules used to detect virus behaviors are changed from when an analysis showed [no] virus pattern, to a later analysis that did sho[w] a virus pattern."

Applicant respectfully disagrees and notes that the excerpt relied on by the Examiner merely discloses that "[i]n pre-infection detection, the behavior pattern is analyzed [by the ABM engine] and is found to represent viral behavior for those new or modified programs introduced to the system" and that "[i]n post-infection detection the virus is caught the moment it attempts to infect the first executable on the PC," where "[t]he file hook mechanism detects this attempted change to an executable . . . [and t]he ABM engine then analyzes the first executable program and finds that its behavior pattern is altered in a manner indicating that a virus is active" (Col. 11, lines 36-60 - emphasis added).
However, merely disclosing the analysis of behavior patterns by an ABM engine in order to find viral behavior, where the analysis is performed on newly introduced programs as well as on programs that pass initial detection but later attempt to change an executable, as in van der Made, does not disclose "that the rules used to detect virus behaviors are changed," as argued by the Examiner, and further fails to disclose "modifying code operable to modify said set of rules such that said at least one secondary set of one or more external program calls are more strongly associated with malicious computer program activity" (emphasis added), as specifically claimed by applicant.

In addition, with respect to independent Claims 1, 18 and 35, the Examiner has relied on Col. 6, lines 12-24 (excerpted below) from the van der Made reference to make a prior art showing of applicant's claimed technique "wherein one of said at least one secondary set of one or more external program calls precedes said primary set of one or more external program calls within said stream of external program calls" (see this or similar, but not necessarily identical language in the independent claims):

"Preferred implementations of the analytical behavior method allows identification of virus carrying files prior to infection . . . [and] can also be [used to] subsequently analyze the behavior of the program following modification to determine if its functionality has been modified in a suspect (malicious) manner. This provides post-infection analysis." (Col. 6, lines 12-24 - emphasis added)

Applicant respectfully points out that the excerpt from the van der Made reference relied upon by the Examiner merely teaches "extracting a behavior pattern and sequence from a modified, new, unknown or suspect program," and that "[t]he behavior pattern is preferably used to analyze the behavior of the unknown program to determine if the behavior of the unknown program is malicious" (Col. 6, lines 13-17 - emphasis added).
However, applicant respectfully asserts that only generally disclosing that "[t]he behavior pattern is preferably used to analyze the behavior of the unknown program," as in van der Made, fails to specifically disclose a technique "wherein one of said at least one secondary set of one or more external program calls precedes said primary set of one or more external program calls within said stream of external program calls" (emphasis added), as claimed by applicant.

In the Office Action mailed 07/17/2008, the Examiner has argued that "[i]n van der Made, the behavior pattern that did not show a virus pattern would precede the behavior pattern that 'drastically' changed after infection." Applicant respectfully disagrees and again notes that van der Made merely discloses that "[t]he generated behavior pattern does not change significantly between version updates, but does change dramatically when a virus infects a program" (Col. 6, lines 30-32), in addition to disclosing "detect[ing] malicious code within a computer system by generating and subsequently analyzing a behavior pattern for each computer program introduced to the computer system" (Abstract - emphasis added).

However, merely disclosing the generation and analysis of a behavior pattern for a computer program in a computer system, where a dramatically changed behavior pattern suggests that a program is infected with a virus, as in van der Made, does not disclose the existence of both "drastically" changed and non-"drastically" changed instances of behavior patterns of the same program in a computer system, as suggested by the Examiner, and fails to specifically suggest a technique "wherein one of said at least one secondary set of one or more external program calls precedes said primary set of one or more external program calls within said stream of external program calls" (emphasis added), as specifically claimed by applicant.

Furthermore, with respect to independent Claims 1, 18 and 35, the Examiner has relied on Col. 11, lines 46-59 (excerpted below) from the van der Made reference to make a prior art showing of applicant's claimed technique "wherein said set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls, said new rule thereafter being used in addition to other rules within said set of rules" (see this or similar, but not necessarily identical language in the independent claims):



"Post-infection detection takes place in cases when initial infection is missed by pre-infection detection. A virus could be missed by pre-infection detection when it does not perform any vectors that point to an infection routine. This is the case with so-called slow infectors. . . . In post-infection detection the virus is caught the moment it attempts to infect the first executable on the PC. The file hook mechanism detects this attempted change to an executable (including documents). The ABM engine then analyzes the first executable program and finds that its behavior pattern is altered in a manner indicating that a virus is active." (Col. 11, lines 46-59 - emphasis added)

Applicant respectfully points out that the excerpt from the van der Made reference relied upon by the Examiner merely teaches detecting a virus in an executable program, if the program's "behavior pattern is altered in a manner indicating that a virus is active" (Col. 11, lines 58-59 - emphasis added).



However, applicant respectfully asserts that detecting an active virus in a program because the program's behavior pattern is altered, as in van der Made, clearly does not teach that a "set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls" especially where "said new rule thereafter [is] used in addition to other rules within said set of rules" (emphasis added), as claimed by applicant.

In the Office Action mailed 07/17/2008, the Examiner has again argued that "van der Made shows (Col. 11, lines 36-60) that the rules used to detect virus behaviors are changed from when an analysis showed [no] virus pattern, to a later analysis that did sho[w] a virus pattern."
Applicant respectfully disagrees and again notes that the above excerpt relied on by the Examiner merely discloses that "[i]n pre-infection detection, the behavior pattern is analyzed [by the ABM engine] and is found to represent viral behavior for those new or modified programs introduced to the system" and that "[i]n post-infection detection the virus is caught the moment it attempts to infect the first executable on the PC," where "[t]he file hook mechanism detects this attempted change to an executable . . . [and t]he ABM engine then analyzes the first executable program and finds that its behavior pattern is altered in a manner indicating that a virus is active" (Col. 11, lines 36-60 - emphasis added).

However, merely disclosing the analysis of behavior patterns by an ABM engine in order to find viral behavior, where the analysis is performed on newly introduced programs as well as on programs that pass initial detection but later attempt to change an executable, as in van der Made, does not disclose "that the rules used to detect virus behaviors are changed," as argued by the Examiner, and further fails to disclose that a "set of rules is modified to include a new rule corresponding to said secondary set of one or more external program calls," especially where "said new rule thereafter [is] used in addition to other rules within said set of rules" (emphasis added), as specifically claimed by applicant.

The Examiner is reminded that a claim is anticipated only if each and every element as set forth in the claim is found, either expressly or inherently described, in a single prior art reference. Verdegaal Bros. v. Union Oil Co. of California, 814 F.2d 628, 631, 2 USPQ2d 1051, 1053 (Fed. Cir. 1987). Moreover, the identical invention must be shown in as complete detail as contained in the claim. Richardson v. Suzuki Motor Co., 868 F.2d 1226, 1236, 9 USPQ2d 1913, 1920 (Fed. Cir. 1989). The elements must be arranged as required by the claim.

This criterion has simply not been met by the above reference excerpt(s), as noted above. Nevertheless, despite such paramount deficiencies and in the spirit of expediting the prosecution of the present application, applicant has amended each of the independent claims to further distinguish applicant's claim language from the above reference by incorporating the subject matter of former dependent Claims 53 and 54.

With respect to the subject matter of former Claim 53 (now at least substantially incorporated into the independent claims), the Examiner has relied on Col. 10, line 18 - Col. 11, line 23; and Col. 12, lines 26-41 from the van der Made reference to make a prior art showing of applicant's claimed "determining whether said modified set of rules decrease malicious network traffic, and promoting said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules decrease said malicious network traffic" (see this or similar, but not necessarily identical language in the independent claims).

Applicant respectfully asserts that the excerpts from the van der Made reference relied upon by the Examiner merely teach that "[t]he sequencer contains the order in which the bits were set, identifying the infection sequence shown above" (Col. 10, lines 55-57). Further, the excerpts teach that "[t]he change detection module compares existing files at 6 levels to determine if the file was previously analyzed" (Col. 11, lines 8-9 - emphasis added). Additionally, the excerpts teach that "[i]n tests of a prototype implementation ABM system, the combination of pre-infection (96%) and post-infection detection (4%) resulted in 100% detection of all known viral techniques, using a combination of new, modified and well-known viruses" (Col. 12, lines 26-30 - emphasis added).

However, identifying the infection sequence, comparing files to determine if the file was previously analyzed, and teaching that the combination of pre-infection and post-infection detection resulted in 100% detection of all known viral techniques, as in van der Made, simply fails to suggest "malicious network traffic," much less "determining whether said modified set of rules decrease malicious network traffic, and promoting said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules decrease said malicious network traffic" (emphasis added), as claimed by applicant. Clearly, 100% detection of viral techniques, in addition to identifying an infection sequence, and determining if a file was previously analyzed, as in van der Made, simply fails to even suggest "promoting said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules decrease said malicious network traffic" (emphasis added), as claimed by applicant.

In the Office Action mailed 07/17/2008, the Examiner has merely argued that "the remaining arguments are fully addressed in light of the above remarks" and has failed to specifically respond to applicant's above arguments with respect to applicant's claimed "promoting said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules decrease said malicious network traffic" (emphasis added), as claimed by applicant. Thus, a notice of allowance or specific prior art showing of each of the foregoing claim elements, in combination with the remaining claimed features, is respectfully requested.

Additionally, with respect to the subject matter of former Claim 54 (now at least substantially incorporated into the independent claims), the Examiner has relied on Col. 12, lines 26-41 from the van der Made reference to make a prior art showing of applicant's claimed "promoting code operable to determine whether said modified set of rules slows malware propagation, and to promote said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules slows said malware propagation" (see this or similar, but not necessarily identical language in the independent claims).

Applicant again respectfully asserts that the excerpt from the van der Made reference relied upon by the Examiner merely teaches that "[i]n tests of a prototype implementation ABM system, the combination of pre-infection (96%) and post-infection detection (4%) resulted in 100% detection of all known viral techniques, using a combination of new, modified and well-known viruses" (Col. 12, lines 26-30 - emphasis added).






However, merely teaching that the combination of pre-infection and post-infection detection resulted in 100% detection of all known viral techniques, as in van der Made, simply fails to suggest "promot[ing] said modified set of rules from a temporary set to a permanent set," much less "determin[ing] whether said modified set of rules slows malware propagation, and . . . promot[ing] said modified set of rules from a temporary set to a permanent set if it is determined that said modified set of rules slows said malware propagation" (emphasis added), as claimed by applicant.

Again, the foregoing anticipation criterion has simply not been met by the above reference excerpt(s), as noted above. Thus, a notice of allowance or specific prior art showing of each of the foregoing claim elements, in combination with the remaining claimed features, is respectfully requested.

Applicant further notes that the prior art is also deficient with respect to the 
dependent claims. For example, with respect to dependent Claim 7 et al., the Examiner 
has rejected the same under 35 U.S.C. 103(a) as being unpatentable over van der Made, 
in view of Obrecht et al. (U.S. Patent Publication No. 2004/0064736). More specifically, 
the Examiner has relied on Paragraph [0039] from the Obrecht reference to make a prior 
art showing of applicant's claimed technique "wherein score values within a set of rules 
associated with said secondary set of one or more external program calls are increased to 
more strongly associate said secondary set of external program calls with malicious 
computer program activity." 

Applicant respectfully notes that the above excerpt from Obrecht relied on by the 
Examiner merely discloses that "[i]f the result of a malicious code detection routine 54 
indicates that the characteristic or behavior of the program being examined was that of a 
malicious code program, then a weight... is associated with the routine and that weight 
contributes positively to the malicious code score" (Paragraph [0039]). However, merely 
associating a weight with a routine if the routine indicates malicious program code 
behavior, as in Obrecht, fails to disclose a technique "wherein score values within a set of 
rules associated with said secondary set of one or more external program calls are 
increased to more strongly associate said secondary set of external program calls with 
malicious computer program activity" (emphasis added), as claimed by applicant. 

To establish a prima facie case of obviousness, three basic criteria must be met. 
First, there must be some suggestion or motivation, either in the references themselves or 
in the knowledge generally available to one of ordinary skill in the art, to modify the 
reference or to combine reference teachings. Second, there must be a reasonable 
expectation of success. Finally, the prior art reference (or references when combined) 
must teach or suggest all the claim limitations. The teaching or suggestion to make the 
claimed combination and the reasonable expectation of success must both be found in the 
prior art and not based on applicant's disclosure. In re Vaeck, 947 F.2d 488, 20 USPQ2d 
1438 (Fed. Cir. 1991). 

Applicant respectfully asserts that at least the third element of the prima facie 
case of obviousness has not been met, since the prior art excerpts, as relied upon by the 
Examiner, fail to teach or suggest all of the claim limitations, as noted above. 

Additionally, with respect to Claim 10 et al., the Examiner has relied on Col. 5, 
lines 16-39 from the van der Made reference to make a prior art showing of applicant's 
claimed technique "wherein said modifying code dynamically adapts said set of rules in 
response to detected streams of external program calls performing malicious computer 
program activity" (see this or similar, but not necessarily identical language in the 
aforementioned claims). 



Applicant respectfully notes that the above reference excerpt relied on by the 
Examiner merely discloses that "the behavior of a newly loaded or called program is 
analyzed in a virtual machine that simulates a complete PC... and it is that virtual PC that 
generates the behavior pattern," where "[t]he virtual PC simulates execution of the new 
or modified program... and the virtual PC monitors the behavior of the suspect program 
and makes a record of this behavior that can be analyzed to determine that the target 
program exhibits virus or malignant behaviors" (Col. 5, lines 16-25 -- emphasis added). 
Additionally, the excerpts disclose that "[t]he result of the virtual execution by the virtual 
machine is a behavior pattern representative of the new program," where "the behavior 
pattern generated by the virtual PC identifies that a program is infected with a virus or is 
itself a virus" (Col. 5, lines 25-30). 

However, merely simulating the execution of a program, monitoring the behavior 
of the program, and making a record of the program behavior that can be analyzed for 
virus behavior, as in van der Made, fails to disclose "dynamically adapt[ing] said set of 
rules in response to detected streams of external program calls performing malicious 
computer program activity" (emphasis added), as claimed by applicant. Nowhere in the 
above excerpt is "said set of rules [dynamically adapted] in response to detected streams 
of external program calls performing malicious computer program activity" (emphasis 
added), as specifically claimed. 

Additionally, with respect to Claim 17 et al., the Examiner has relied on Col. 12, 
lines 26-41 (excerpted below) from the van der Made reference to make a prior art 
showing of applicant's claimed technique "wherein said set of rules is subject to a 
validity check after modification to determine if said set of rules is more effectively 
detecting malicious computer program activity." 



    In tests of a prototype implementation ABM system, the combination 
    of pre-infection (96%) and post-infection detection (4%) resulted 
    in 100% detection of all known viral techniques, 
    using a combination of new, modified and well-known viruses. 
    Other methods detected only 100% of known viruses and score- 
    [...] 
    direct representation of the mix of known, modified and new, 
    [...] 

Applicant respectfully points out that the excerpt from the van der Made reference 
relied upon by the Examiner merely discloses that "[i]n tests of a prototype implementation ABM 
system, the combination of pre-infection (96%) and post-infection detection (4%) 
resulted in 100% detection of all known viral techniques, using a combination of new, 
modified and well-known viruses" (Col. 12, lines 26-41 -- emphasis added). 

However, applicant respectfully asserts that "tests of a prototype implementation 
ABM system," as in van der Made, clearly do not teach that a "set of rules is subject to a 
validity check after modification to determine if said set of rules is more effectively 
detecting malicious computer activity" (emphasis added), as claimed by applicant. 
Simply nowhere in the excerpt from the van der Made reference relied on by the 
Examiner is there any teaching or suggestion of a "validity check after modification [of 
said set of rules]," as claimed by applicant. 

In the Office Action mailed 11/01/2007, the Examiner has argued that "Made 
discloses a test on a prototype that analyzed the validity of the rules and Made discloses 
that validity is checked when patterns are detected in order to ensure no false alarms 
(10:52-11:7)." 




    [...] the behavior pattern points [...] obviously towards a virus since 
    such tricks are not normally used in normal applications. In any 
    case, preferred implementations of the present invention require 
    [...] 
    physical PC environment. Because all parts of the virtual 
    computer are virtualized in preferred embodiments, and at no time 
    is the virtualized program allowed to interact with the physical 
    computer, there is no chance that viral code could escape from 
    the virtual [...] 

(Col. 10, line 52 -- Col. 11, line 7 -- emphasis added). 

Applicant respectfully disagrees and asserts that the excerpt from the van der 
Made reference relied upon by the Examiner merely teaches that "[t]he behavior pattern 
contains flags that indicate that the user has not had the opportunity to interact with this 
process through user input" and that "preferred implementations of the present invention 
require an infection procedure to be present to trigger a virus warning [...] false 
positive warnings" (emphasis added). 

However, teaching that the behavior pattern contains flags indicating that the user 
has not had the opportunity to interact, in addition to teaching that an 
infection procedure is required to be present to trigger a virus warning, as in van der 
Made, simply fails to suggest that a "set of rules is subject to a validity check after 
modification to determine if said set of rules is more effectively detecting malicious 
computer activity" (emphasis added), as claimed by applicant. Clearly, a flag in the 
behavior pattern indicating that the user has not interacted with the process, as in van der 
Made, simply fails to even suggest that a "set of rules is subject to a validity check after 
modification" (emphasis added), as claimed by applicant. 

In the Office Action mailed 07/17/2008, the Examiner has argued that "van der 
Made effectively shows that changed behavior analysis detected 4% of the virus that the 
initial analysis did not detect, and therefore meets the claim limitation." Applicant 
respectfully disagrees and again notes that van der Made merely discloses "tests of a 
prototype implementation ABM system," where the ABM engine analyzes behavior 
patterns in order to find viral behavior, and where the analysis is performed on newly 
introduced programs as well as on programs that pass initial detection but later attempt to 
change an executable. 



However, merely testing an implementation of a system that analyzes behavior 
patterns of both newly introduced programs as well as programs that pass initial detection 
but later attempt to change an executable, as in van der Made, clearly does not teach that 
a set of rules is "subject to a validity check after modification to determine if said set of 
rules is more effectively detecting malicious computer activity" (emphasis added), as 
claimed by applicant. Simply nowhere in the excerpt from the van der Made reference 
relied on by the Examiner is there any teaching or suggestion of a "validity check after 
modification [of said set of rules]," as claimed by applicant. 

Additionally, with respect to Claim 52, the Examiner has relied on Col. 10, line 
18 -- Col. 11, line 23; and Col. 12, lines 26-41 from the van der Made reference to make a 
prior art showing of applicant's claimed "applying high level rules to said modified set of 
rules, and promoting said modified set of rules from said temporary set to said permanent 
set based on the application of the high level rules to said modified set of rules" (as 
amended). 

Applicant respectfully asserts that the excerpts from the van der Made reference 
relied upon by the Examiner merely teach that "[t]he sequencer contains the order in 
which the bits were set, identifying the infection sequence shown above" (Col. 10, lines 
55-57 -- emphasis added). Further, the excerpts teach that "[t]he change detection module 
compares existing files at 6 levels to determine if the file was previously analyzed" (Col. 
11, lines 8-9 -- emphasis added). Additionally, the excerpts teach that "[i]n tests of a 
prototype implementation ABM system, the combination of pre-infection (96%) and 
post-infection detection (4%) resulted in 100% detection of all known viral techniques, 
using a combination of new, modified and well-known viruses" (Col. 12, lines 26-30 -- 
emphasis added). 

However, identifying the infection sequence, comparing files to determine if the 
file was previously analyzed, and teaching that the combination of pre-infection and post-
infection detection resulted in 100% detection of all known viral techniques, as in van der 
Made, simply fails to suggest "applying high level rules to said modified set of rules, and 
promoting said modified set of rules from said temporary set to said permanent set based 
on the application of the high level rules to said modified set of rules" (emphasis added), 
as claimed by applicant. Clearly, pre-infection and post-infection detection of viral 
techniques, in addition to identifying the infection sequence and comparing files to 
determine if the file was previously analyzed, as in van der Made, simply fails to even 
suggest "promoting said modified set of rules from said temporary set to said permanent 
set based on the application of the high level rules to said modified set of rules" 
(emphasis added), as claimed by applicant. 

In the Office Action mailed 07/17/2008, the Examiner has merely argued that "the 
remaining arguments are fully addressed in light of the above remarks" and has failed to 
specifically respond to applicant's above arguments with respect to applicant's claimed 
"promoting said modified set of rules from said temporary set to said permanent set 
based on the application of the high level rules to said modified set of rules" (emphasis 
added), as claimed by applicant. Thus, a notice of allowance or specific prior art showing 
of each of the foregoing claim elements, in combination with the remaining claimed 
features, is respectfully requested. 

Again, with respect to the rejection under 35 U.S.C. 102(e), since the above 
anticipation criterion has simply not been met by the above reference excerpt(s), as noted 
above, a notice of allowance or specific prior art showing of each of the foregoing claim 
elements, in combination with the remaining claimed features, is respectfully requested. 

Additionally, with respect to the rejection under 35 U.S.C. 103(a), since at least 
the third element of the prima facie case of obviousness has not been met, a notice of 
allowance or specific prior art showing of each of the foregoing claim elements, in 
combination with the remaining claimed features, is respectfully requested. 

Still yet, applicant brings to the Examiner's attention the subject matter of new 
Claim 55 below, which is added for full consideration: 
"wherein one or more higher-level rules are applied to said modified set of 
rules to determine if said modified set of rules is more effectively detecting 
malicious computer program activity after modification" (see Claim 55). 
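As an added illustration of the claim elements argued above (score values increased for a secondary set of external program calls, a validity check after modification, and promotion of the modified rules from a temporary set to a permanent set), the following constructed Python sketch is offered; it is not applicant's code nor an implementation of the claimed invention, and the rule scores, call names and labelled sample streams are assumptions made for the example.

```python
# Constructed illustration (not applicant's code): score-based rules over
# streams of external program calls, a temporary modified rule set, and a
# validity check that gates promotion to the permanent set.
from dataclasses import dataclass


@dataclass
class RuleSet:
    scores: dict      # score per consecutive pair of external program calls
    threshold: int    # total score at which a stream is deemed malicious

    def score(self, calls):
        return sum(self.scores.get((a, b), 0) for a, b in zip(calls, calls[1:]))

    def is_malicious(self, calls):
        return self.score(calls) >= self.threshold


def modify_rules(permanent, detected_stream, bump=2):
    """Copy the permanent set into a temporary set and increase the score of
    every call pair seen in a stream detected performing malicious activity."""
    temp = RuleSet(dict(permanent.scores), permanent.threshold)
    for pair in zip(detected_stream, detected_stream[1:]):
        temp.scores[pair] = temp.scores.get(pair, 0) + bump
    return temp


def detection_rate(rules, samples):
    """Validity check: fraction of labelled sample streams classified correctly."""
    return sum(rules.is_malicious(c) == label for c, label in samples) / len(samples)


def promote_if_valid(permanent, temp, samples):
    """Higher-level rule: promote the temporary set only if it detects more
    effectively than the current permanent set on the labelled samples."""
    if detection_rate(temp, samples) > detection_rate(permanent, samples):
        return temp, True
    return permanent, False


# Assumed permanent rules and labelled validation streams (True = malicious).
PERMANENT = RuleSet({("open_process", "write_memory"): 3,
                     ("create_thread", "resume_thread"): 2}, threshold=5)
SAMPLES = [
    (["open_process", "write_memory", "create_thread"], True),
    (["open_process", "write_memory", "create_thread", "resume_thread"], True),
    (["create_file", "write_file", "close_handle"], False),
    (["open_process", "read_memory", "close_handle"], False),
]

if __name__ == "__main__":
    good = modify_rules(PERMANENT, ["open_process", "write_memory", "create_thread"])
    print(promote_if_valid(PERMANENT, good, SAMPLES)[1])   # promoted: 0.75 -> 1.0
    bad = modify_rules(PERMANENT, ["open_process", "read_memory", "close_handle"], bump=5)
    print(promote_if_valid(PERMANENT, bad, SAMPLES)[1])    # rejected: 0.75 -> 0.5
```

The second modification raises scores on a benign-looking stream, so the validity check rejects it and the permanent set is left unchanged.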

Again, a notice of allowance or a proper prior art showing of all of applicant's 
claim limitations, in combination with the remaining claim elements, is respectfully 
requested. 

Thus, all of the independent claims are deemed allowable. Moreover, the 
remaining dependent claims are further deemed allowable, in view of their dependence 
on such independent claims. 

In the event a telephone conversation would expedite the prosecution of this 
application, the Examiner may reach the undersigned at (408) 505-5100. The 
Commissioner is authorized to charge any additional fees or credit any overpayment to 
Deposit Account No. 50-1351 (Order No. NAI1P489). 

Respectfully submitted, 
Zilka-Kotab, PC 